Inside Microsoft's Network Identity Framework

As Microsoft gets set to deliver its newly unveiled cloud-based services centered
on the Windows Azure platform and Live Framework, the company's new identity
management roadmap will be the key to addressing concerns about security and
authentication.

The company outlined several key deliverables at last week's Professional Developers
Conference, including its new Geneva Server, which was released for beta testing
last week. Microsoft uses a claims-based model for accessing systems that may reside
in any number of datacenters, among multiple parties as well as those residing in
cloud services.

Claims-based identity assigns attributes (claims) to an individual, such as an e-mail
address or Social Security number, issued by a security token service (STS); these
claims allow systems and applications to share information with corresponding systems
in a secure transaction.

Geneva (formerly known as "Zermatt") and Live Identity Services look
to fulfill the ambitious goal of allowing developers to easily build federated
identity management into their apps.

"What we are trying to achieve here is one identity model that puts users
firmly in control of their identities," said Kim Cameron, Microsoft's chief
architect of identity and a Microsoft distinguished engineer, speaking at the
PDC. "The goal is, you write a pure application once, you run it anywhere,
in any kind of deployment scenario."

Geneva Software Stack
On the software side, Geneva consists of three core components: the Geneva Server,
an STS that manages user access and distributes and transforms claims; Geneva
CardSpace, which lets developers build client-based authentication; and Geneva
Framework, a set of .NET-based class libraries and SDKs. The Geneva Server is
integrated with Microsoft Active Directory as well as Windows CardSpace, which
accepts and receives digital tokens that allow users to control their digital
identities.

A new version of Windows CardSpace will offer improved performance and a smaller
footprint, and will be tuned to work with the Geneva Server which, in addition
to supporting Active Directory, is compatible with Web services standards including
the Security Assertion Markup Language 2.0 (SAML), WS-Federation and WS-Trust.

Vittorio Bertocci, a senior architect evangelist, demonstrated a federated
SAML-based link between Geneva and a site based on IBM's Tivoli Federated Identity
Manager. Bertocci told attendees it took less than five hours to make it work.

Live Identity Services
The services-based counterpart to Geneva will consist of three core components:
Live Identity Services, the Microsoft Federation Gateway (MFG) and .NET Access
Control Service.

The MFG is a backbone that will connect Geneva (via Active Directory), or competing
STSes backed by other directory services or user databases, to Azure, to hosted
applications such as SharePoint and Exchange, and to developer services such as
.NET Services and SQL Services, according to Cameron.

MFG is in production now, and Microsoft has released a CTP of the Microsoft Services
Connector, a fixed-function server that connects Active Directory to MFG. A full beta
is planned for the first half of next year.

Also on the services side, Microsoft announced the .NET Access Control Service,
which allows individuals to control their identities. It consists of a portal,
a client API and the STS. Cameron described the service as a next-generation
STS. "It takes in authentication claims and puts out authorization decisions,"
he said. "You put your rules in there about who can access what."
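The rule-driven behaviour Cameron describes, authentication claims in, authorization decisions out, as an added illustration that is not Microsoft's code: a minimal claims-transforming STS and a relying party that trusts only that STS's output. The issuer names ("ad-sts", "acs"), the application name and the rule table are constructed assumptions.

```python
# Added example (not Microsoft's code): a minimal claims-transforming STS in the
# spirit of the Access Control Service described above. The issuer names,
# application name and rule table below are constructed for illustration.
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Claim:
    type: str    # e.g. "email", "group", "action"
    value: str
    issuer: str  # the party that asserted this claim

@dataclass(frozen=True)
class Token:
    issuer: str
    audience: str
    claims: tuple

@dataclass(frozen=True)
class Rule:
    in_type: str
    in_value: str
    out_type: str
    out_value: str

# Trust is decided by who issued a token, never by what its claims say.
TRUSTED_ISSUERS = {"ad-sts"}
RULES = (
    Rule("group", "Clinicians", "action", "ReadCourses"),
    Rule("group", "Administrators", "action", "ManageCourses"),
)

def transform(token: Token, audience: str) -> Optional[Token]:
    """Turn authentication claims into authorization claims; None if untrusted."""
    if token.issuer not in TRUSTED_ISSUERS or token.audience != "acs":
        return None
    out = [Claim(r.out_type, r.out_value, "acs") for r in RULES
           if any(c.type == r.in_type and c.value == r.in_value
                  and c.issuer == token.issuer for c in token.claims)]
    return Token(issuer="acs", audience=audience, claims=tuple(out))

def is_authorized(token: Optional[Token], audience: str, action: str) -> bool:
    """Relying-party check: right issuer, right audience, required action claim."""
    if token is None or token.issuer != "acs" or token.audience != audience:
        return False
    return any(c.type == "action" and c.value == action and c.issuer == "acs"
               for c in token.claims)

# Constructed sample: a user authenticated by the corporate Active Directory STS.
alice = Token("ad-sts", "acs", (Claim("email", "alice@example.com", "ad-sts"),
                                Claim("group", "Clinicians", "ad-sts")))
```

Note that an "action" claim smuggled into the incoming token is discarded, because only the rule table produces authorization claims.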

If Microsoft can deliver on that promise, that would make life a lot easier
for Joe Christopher, vice president at HealthStream, a Nashville-based company
that provides both education and research for hospitals nationwide via the Internet.

"Today there's a lot of custom glue," Christopher said in an interview
at PDC right after hearing Cameron's presentation. "There's a lot of plumbing
that's built manually by our site, a third-party site, and it requires a lot
of working out data exchanges and working out how do we keep those up to date
real time."

Live ID Will Work With OpenID
Cameron also announced that Microsoft will let the 460 million users of its
Live ID service use their credentials to log in to any site that supports the
OpenID 2.0 standard. OpenID shows promise as a de facto authentication standard
that turns an existing URI into an account that can be used at sites that
support OpenID access. Among those that support it are AOL, Flickr, Technorati,
WordPress and Yahoo, according to the OpenID Foundation. That means users will
be able to use their Live ID credentials to log in to those and other OpenID
sites. For example, if you have a My Yahoo account, you'll be able to use your
Live ID to log in to it.